Dependency Guardian by WestBayBerry

Privacy Policy

Effective May 14, 2026

Overview

WestBayBerry LLC ("WestBayBerry", "we", "us") operates the Dependency Guardian service at westbayberry.com. This policy explains what data we collect, how we use it, and your rights regarding that data.

We are a small, independent company. We collect only what we need to run the service and we do not sell your data.

What We Collect

Account information: email address, display name (optional), authentication method (email/password or Google OAuth).

Scan data: package names, versions, and risk scores from your dependency scans. We do not access or store your source code. We fetch package tarballs directly from the npm registry.

API keys: we store a cryptographic hash of your API key and a prefix for display. The full key is shown once at creation and never stored.

Billing information: payment processing is handled entirely by Stripe. We store your Stripe customer ID and subscription ID but never see or store your card number, bank account, or other payment details.

Usage data: IP addresses, browser type, pages visited, and timestamps. Collected through server logs and Google Analytics.

Audit logs: we log security-relevant actions (login, API key creation, policy changes) with timestamps and IP addresses for security and compliance.

CLI Telemetry

The Dependency Guardian command-line tool is intentionally quiet. It contains no Sentry, PostHog, Google Analytics, or other usage-analytics SDK. It does send anonymous crash reports, which are on by default (opt out with DG_TELEMETRY=0 or DO_NOT_TRACK=1). The CLI makes network calls in only these categories:

  • Scanning — package names and pinned versions are sent to our API to return a verdict. We pull the package artifacts from the public registry (npm or PyPI) on our side; we never receive your source code or file paths.
  • Anonymous crash reports — on by default. When the CLI hits an unhandled error it sends a single, identifier-free event with a classified error type, the CLI/Node versions, your OS/architecture, and which subcommand you ran — never the error message, stack trace, source, file paths, or package names. Opt out with DG_TELEMETRY=0 or DO_NOT_TRACK=1.
  • Authenticated product events — only fire when you are signed in with dg login. These power your dashboard (scan counts, install-block audit trail). Signing out stops them entirely.
  • Update check — a GET request to registry.npmjs.org (the public npm registry, not us) to see whether a newer CLI exists. Suppressed by CI=1.

The full breakdown of what the CLI sends — and what it never does — lives on the CLI telemetry docs page.

How We Use Your Data

  • Provide and operate the Dependency Guardian service
  • Authenticate your identity and manage your account
  • Process billing through Stripe
  • Send transactional emails (verification, password reset)
  • Monitor service health and debug errors
  • Improve the service based on aggregate usage patterns

We do not use your data for advertising, profiling, or automated decision making. We do not sell or rent your personal data to third parties.

Third Party Processors

We use the following services to operate Dependency Guardian:

  • Stripe: payment processing. See the Stripe Privacy Policy.
  • Resend: transactional email delivery (verification, password reset emails).
  • Google Analytics & Google Ads: website analytics and advertising measurement. Only loaded if you accept cookies. See the Google Privacy Policy.
  • Sentry: error monitoring. Receives error reports, IP addresses, and browser metadata when errors occur.
  • Cloudflare: CDN, DDoS protection, and DNS. Processes IP addresses and request metadata. See the Cloudflare Privacy Policy.

Cookies

We use the following cookies:

  • Session cookie (essential): maintains your login session. HttpOnly, Secure.
  • tz (essential): stores your timezone for displaying timestamps correctly.
  • cookie_consent (essential): stores your cookie preference.
  • dg_did (essential): a random UUID that lets the free anonymous tier count scans per device on the public demo. No personal data, never shared. HttpOnly, Secure, SameSite=Lax, expires after 1 year. You can clear it any time; the next demo scan mints a fresh one.
  • _ga, _gid (analytics): Google Analytics cookies. Only set if you accept analytics cookies via the consent banner.

You can change your cookie preferences at any time by clearing the cookie_consent cookie from your browser, which will show the consent banner again on your next visit.

Data Retention

  • Account data: retained while your account is active. Deleted when you delete your account.
  • Scan history: retained while your account is active. Deleted on account deletion.
  • Anonymous scan IPs: stored at full precision for 30 days, then truncated to the network prefix (/24 IPv4, /48 IPv6). Used only for short-window abuse investigation and per-/24 quota enforcement.
  • Audit logs: anonymized (your user ID is removed) on account deletion and retained for up to one year for security compliance.
  • Billing records: retained by Stripe per their policies and applicable tax/legal requirements.
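The 30-day retention step for anonymous scan IPs described above, as an added example that is not Dependency Guardian's own code: addresses older than the window are reduced to their /24 (IPv4) or /48 (IPv6) prefix, and IPv4-mapped IPv6 addresses (::ffff:a.b.c.d) are treated as IPv4 so they land in the same /24 bucket as their plain form. The record layout and sample data are assumptions constructed for the example.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Window during which the full address is kept (per the policy: 30 days)
FULL_PRECISION_WINDOW = timedelta(days=30)


def truncate_ip(ip_str: str) -> str:
    """Reduce an address to its network prefix: /24 for IPv4, /48 for IPv6."""
    addr = ipaddress.ip_address(ip_str)
    # An IPv4 address carried in IPv6-mapped form is really IPv4; unwrap it so
    # "::ffff:203.0.113.77" and "203.0.113.77" share one /24 bucket.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    prefix = 24 if addr.version == 4 else 48
    # strict=False clears the host bits instead of raising on a non-network address
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


def apply_retention(records: list, now: datetime) -> list:
    """Return copies of the records, with IPs seen more than 30 days ago truncated.

    Each record (assumed layout) is a dict with 'ip' and an aware 'seen_at'.
    """
    out = []
    for rec in records:
        if now - rec["seen_at"] > FULL_PRECISION_WINDOW:
            out.append({**rec, "ip": truncate_ip(rec["ip"]), "truncated": True})
        else:
            out.append({**rec, "truncated": False})
    return out


# Constructed sample data (documentation-range addresses, not real scan logs)
NOW = datetime(2026, 6, 1, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    {"ip": "203.0.113.77", "seen_at": NOW - timedelta(days=31)},       # past the window
    {"ip": "::ffff:203.0.113.200", "seen_at": NOW - timedelta(days=45)},  # mapped IPv4, past the window
    {"ip": "2001:db8:1234:5678::1", "seen_at": NOW - timedelta(days=2)},  # still within the window
]


def retention_pass() -> list:
    """Run one retention pass over the constructed sample."""
    return apply_retention(SAMPLE_RECORDS, NOW)
```

The same `truncate_ip` result also serves as the key for the per-/24 quota counter the policy mentions, since both operations need the identical prefix.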

Your Rights

Under GDPR, CCPA, and similar laws, you have the right to:

  • Access: request a copy of the personal data we hold about you.
  • Rectification: update your name and profile information from your Account Settings.
  • Deletion: delete your account and all associated data from your Account Settings, or by emailing us.
  • Portability: request an export of your data by emailing us.
  • Objection: opt out of analytics cookies via the consent banner.

To exercise any of these rights, reach out via our contact page. We will respond within 30 days.

Data Location

Our servers are located in the United States. If you are accessing the service from outside the US, your data will be transferred to and processed in the US. Cloudflare may cache content at edge locations worldwide.

Security

We protect your data with:

  • Passwords hashed with bcrypt
  • API keys stored as SHA-256 hashes
  • HTTPS everywhere via Cloudflare
  • CSRF protection on all forms
  • Rate limiting on authentication endpoints
  • Content Security Policy headers

No system is perfectly secure. If you discover a vulnerability, please reach out via our contact page.

Children

Dependency Guardian is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.

Changes

We may update this policy from time to time. We will post the updated version on this page with a new effective date. Your continued use of the service after changes constitutes acceptance of the updated policy.

Controller Identity and Contact

WestBayBerry LLC, United States, is the data controller responsible for the personal data described in this policy.

Questions about this policy, or to exercise your data rights? Reach out via our contact page.

© 2026 WestBayBerry LLC. All rights reserved.
